Abstract

The Diffie-Hellman key exchange scheme is a standard component of cryptographic protocols. In this paper, we propose a way in which protocols that use this computational primitive can be verified using formal methods. In particular, we separate the computational aspects of such an analysis from the formal aspects. First, we use Strand Space terminology to define a security condition that summarizes the security guarantees of Diffie-Hellman. Once this property is assumed, the analysis of a protocol is a purely formal enterprise. (We demonstrate the applicability and usefulness of this property by analyzing a sample protocol.) Furthermore, we show that this property is sound in the computational setting by mapping formal attacks to computational algorithms. We demonstrate that if there exists a formal attack that violates the formal security condition, then it maps to a computational algorithm that solves the Diffie-Hellman problem. Hence, if the Diffie-Hellman problem is hard, the security condition holds globally.


1 Introduction

Consider this simplified version of the TLS [5] protocol:

1. $C \rightarrow S$: $g^x$
2. $S \rightarrow C$: $[g^y]_{K_S}$
3. $C \rightarrow S$: $\{|T_1\ C\ S|\}_{K'}$
4. $S \rightarrow C$: $\{|T_2\ C\ S|\}_{K'}$

where

• $T_1$, $T_2$ are fixed tags to distinguish the third message from the fourth,
• $[M]_{K_X}$ is the message $M$ together with a signature that can be verified using the public key $K_X$,
• $\{|M|\}_{K'}$ is the message $M$ encrypted with the symmetric key $K'$,
• $g$ is a generator for some large group $G$,
• $x$, $y$ are randomly chosen elements of $\{1, 2, \ldots, |G|\}$, and
• $K'$ is a symmetric key created by hashing the value $g^{xy}$.

Informally, we note that the security of this protocol must depend on the secrecy of $g^{xy}$, and recall the widely-known Diffie-Hellman problem:

Given a group $G$, a generator $g$, $g^x$ and $g^y$ for $x, y$ picked randomly from $\{1, 2, \ldots, |G|\}$, calculate the value $g^{xy}$.

Although the complexity of the Diffie-Hellman problem is not known, there exist groups over which it is widely believed to be unsolvable (even on average) by any efficient algorithm.

However, the hardness of the Diffie-Hellman problem does not guarantee the security of this protocol. What is required is a proof, made using the assumptions and proof techniques of some model. One such model would be that of computational cryptography: the study of cryptography using the tools of complexity theory. A proof in this model would begin by assuming that there exists an adversary (i.e., an efficient algorithm) that can break the security of the protocol. It would then show that if such an adversary exists, there must also exist a second adversary¹ that can either forge a signature, break symmetric encryption, or solve the Diffie-Hellman problem.

Since the formal definition of the Diffie-Hellman problem (given in Section 2) is complexity-theoretic in nature, this model might be the most natural one to apply. Unfortunately, natural models are not necessarily the easiest to use. Although the computational model is sound and proofs in that model are strong, it is difficult to work in. A simpler and more intuitive framework is the Dolev-Yao model [6], which grew out of the formal methods community. Instead of considering all possible adversaries (as in the previous case) this model typically considers only a restricted class. In particular, the adversaries of this model operate by choosing — non-deterministically and repeatedly — from a small and explicitly enumerated set of operations. A proof of security in this model is generally a demonstration that all combinations of those operations (together with the operations performed by the honest participants) are ‘safe’.

¹ Typically using the first adversary as a component.

We would prefer to use the Dolev-Yao model to perform analyses. It is simple to use, and can be automated. Even when used manually, powerful general theorems allow individual protocols to be proven secure in a quick and straightforward way. However, since the Diffie-Hellman problem is computational in nature, it is not yet clear how to incorporate it into a formal approach.

In this paper we will propose one such incorporation. In particular, we attempt to separate the formal aspects of a protocol analysis from the computational ones. We do this in two steps:

1. We propose a security property which reflects (in the formal setting) the difficulty of the Diffie-Hellman problem. That is, we propose a condition which states (informally) that if honest participants use a shared secret such as $g^{xy}$ only in certain ways, the adversary can never learn it. This property is natural and simple. It applies to a large class of real-world protocols, and is extremely useful in their analysis. (We demonstrate its use on the protocol that begins this paper.) Thus, once this property is assumed, the analysis of the protocol is firmly in the domain of formal methods.

2. However, we also show that this property can be justified using the techniques of the computational model. To this end, we give a mapping from formal attacks to computational algorithms. We show that any attack which violates the global property results in an efficient algorithm that solves the Diffie-Hellman problem. Hence, if Diffie-Hellman is hard, then no formal attack violates the property, and thus the property holds globally.

The paper is structured as follows. We begin by discussing some background material on the Diffie-Hellman problem (Section 2). We extend the Dolev-Yao model, as represented by the Strand Space method [12], to include language appropriate to the Diffie-Hellman problem (Section 3). We then introduce our security condition via an informal discussion (Section 4). We demonstrate the applicability of this security condition by using it to analyze the protocol that begins this paper (Section 5). We then justify the property by giving a mapping from formal attacks to computational algorithms (Section 6.1), and showing that any formal attack that violates the property results in a computational algorithm that solves Diffie-Hellman efficiently (Section 6.2). We finish with a discussion of related results and possible future work (Section 7).

2 The Diffie-Hellman Problem

In the simplest form of the Diffie-Hellman scheme, everyone is assumed to know a large cyclic group $G$ and a generator $g$. If two entities $A$ and $B$ wish to agree on a secret random value, then

• $A$ chooses a random element $x \in \{1 \ldots |G|\}$ and sends to $B$ the value $g^x$, and
• $B$ chooses a random element $y \in \{1 \ldots |G|\}$ and sends to $A$ the value $g^y$.

The random value upon which they have agreed is $g^{xy}$, which both can calculate:

• $A$ can calculate $g^{xy}$ from $x$ and $g^y$ via $(g^y)^x = g^{xy}$, and
• $B$ can calculate $g^{xy}$ from $y$ and $g^x$ via $(g^x)^y = g^{xy}$.

Note that the scheme provides no authentication. Although $A$ can be sure that the secret value $g^{xy}$ is known only to $A$ herself and the entity that generated $y$, $A$ cannot tell who that entity is. Authentication and identification must be ensured by some other mechanism.

The scheme is, however, assumed to provide secrecy in the sense that no agent other than $A$ and $B$ is able to learn the value $g^{xy}$. This is the Diffie-Hellman problem, given informally in the introduction. The Diffie-Hellman assumption is that the Diffie-Hellman problem is intractable for certain families of groups. More formally:² A group family is a set of finite cyclic groups $\mathcal{G} = \{G_\rho\}$ where $\rho$ ranges over an infinite index set. The parameter $\rho$ encodes the group parameters. We assume that there exists an efficient (polynomial-time) algorithm that, given $\rho$ and two elements of $G_\rho$, outputs the sum of the elements. An instance generator for $\mathcal{G} = \{G_\rho\}$ is a randomized algorithm $IG$ which, when given a natural number $\eta$ (represented in unary), runs in time polynomial in $\eta$ and outputs $(\rho, g)$ where $\rho$ is a random index and $g$ is a generator for $G_\rho$. The parameter $\eta$ is known as the security parameter. It is assumed that if $G_\rho$ is a group generated by $IG(1^\eta)$, then every element of $G_\rho$ can be represented with a number of bits polynomial in $\eta$. Note that for a given $\eta$, $IG(1^\eta)$ induces a distribution on the set of indices.

² Most of this exposition is taken from [4].
Definition 1 The computational³ Diffie-Hellman assumption is that no adversary can maintain a polynomial chance of producing $g^{xy}$ from randomly chosen $g^x$ and $g^y$ as $\eta$ increases:

$\exists \mathcal{G}.\ \forall \text{ PPT algorithms } A.\ \forall c > 0.\ \forall \text{ sufficiently large } \eta$

$\Pr[\ (\rho, g) \leftarrow IG(1^\eta);\ x, y \leftarrow \{1, \ldots, |G_\rho|\};\ g^z \leftarrow A(\rho, g, g^x, g^y)\ :\ g^z = g^{xy}\ ] < \frac{1}{\eta^c}$

(The notation “$\forall$ sufficiently large $\eta$” is equivalent to $\exists \eta_0.\ \forall \eta > \eta_0$. The notation $\Pr[A;\ B : C]$ is equivalent to $\Pr[C \mid A, B]$ where $A$ and $B$ are experiments run in sequence. The notation $x \leftarrow D$ means that $x$ is drawn from the distribution $D$. If $D$ is a probabilistic algorithm,⁴ then $x$ is drawn from the distribution created by running that algorithm with random ‘coin flips’. If $D$ is a set, then the uniform distribution is assumed.)

The Diffie-Hellman problem and its applications have been well-studied in the world of computational cryptography. It has even gained acceptance in applied cryptography, and is used for key-agreement in such widespread protocols as SSH [13] and TLS [5]. Note, however, that the Diffie-Hellman assumption is a statement about the asymptotic nature of probabilities, and hence is inherently computational in nature. The main purpose of this work is to show how such computational statements and assumptions can be incorporated into the formal setting.

3 Strand Spaces

Rather than consider all formal protocol analysis methods, we will focus upon the Strand Space method. The standard model is described in [11, 12]; here, we focus on the extensions necessary to examine the Diffie-Hellman scheme. The extensions fall into two broad categories: extensions to the algebra and extensions to the adversary.

3.1 Extensions to the Algebra

We will extend and modify the algebra of previous strand space work in three ways.

First, we add an additional type $\mathcal{D}$ for Diffie-Hellman exchanges. We will use $d_1, d_2, \ldots$ as elements of $\mathcal{D}$, and we assume there exists an operation

$\mathrm{DH} : \mathcal{D} \times \mathcal{D} \rightarrow \mathcal{D}$

to represent the Diffie-Hellman operation. We denote the range of $\mathrm{DH}$ by $\mathcal{D}_{DH}$. In the literature and in practice, the notation $g^x$ may be used as both a computational and formal variable, and $g^{xy}$ used instead of the admittedly cumbersome $\mathrm{DH}(d_1, d_2)$. In contexts where the model is clear, this overloading of notation presents no difficulty. In this work, however, we are interested in the exact relationship between the formal and computational models. Hence, we distinguish between the two by using the notation $d_1$, $d_2$ and $\mathrm{DH}(d_1, d_2)$ for the formal model, and the notation $g^x$, $g^y$ and $g^{xy}$ for the computational model.

³ As opposed to the decisional Diffie-Hellman assumption, which is the much stronger assumption that it is hard to distinguish the Diffie-Hellman value $g^{xy}$ from a random group element. For the rest of this paper, the “Diffie-Hellman problem” refers to the computational version.

⁴ Meaning one that has access to a tape of random bits.

Also, one of our ultimate goals is to enable the analysis of protocols like TLS, SSH, and the one at the beginning of this paper. These protocols use signatures and hashing, requiring us to add these two operations to the Strand Space algebra.⁵ Signing a term is not assumed to hide the message in any fashion. Hashing a term is assumed to result in a key appropriate for symmetric encryption. We will assume that keys for symmetric encryption, signature generation, and signature verification are mutually disjoint, and that symmetric encryption keys created through hashing are disjoint from those created directly.

Lastly, we will later require that each element of the Strand Space algebra have a unique encoding into bit-strings. Many encryption and signature schemes, however, are inherently probabilistic. An encryption might have many different bit-string representations, and the one chosen depends on the random bits used in the encryption process. To represent this, we will add an additional type of atomic term called a randomness ($\mathcal{R}$). The formal encryption operator will continue to be injective, but now takes randomness as an additional argument. We will also allow randomness to be in the plaintext of encryptions, filling the role of nonces in protocols.⁶

To combine and formalize these modifications:

Definition 2 The set of terms $\mathcal{A}$ is (now) assumed to be freely generated from four disjoint sets:

• $\mathcal{T} \subset \mathcal{A}$, which contains predictable texts,
• $\mathcal{R} \subset \mathcal{A}$, which contains unpredictable random values,
• $\mathcal{K} \subset \mathcal{A}$, which contains keys, and
• $\mathcal{D} \subset \mathcal{A}$, which contains Diffie-Hellman values.

The set of keys ($\mathcal{K}$) is divided into three disjoint sets:

• signature keys ($\mathcal{K}_{sig}$),
• verification keys ($\mathcal{K}_{ver}$), and
• keys for symmetric encryption ($\mathcal{K}_{sym}$).

Compound terms are built by five operations:

• $\mathrm{hash} : \mathcal{A} \rightarrow \mathcal{K}_{sym}$, representing hashing into keys. We will denote the range of $\mathrm{hash}$ by $\mathcal{K}_{hash}$.
• $\mathrm{encr} : \mathcal{K}_{sym} \times \mathcal{A} \times \mathcal{R} \rightarrow \mathcal{A}$, which represents encryption. We denote the range of $\mathrm{encr}$ by $\mathcal{E}$.
• $\mathrm{sig} : \mathcal{K}_{sig} \times \mathcal{A} \times \mathcal{R} \rightarrow \mathcal{A}$, which represents signing a message. We denote the range of $\mathrm{sig}$ by $\mathcal{S}$.
• $\mathrm{join} : \mathcal{A} \times \mathcal{A} \rightarrow \mathcal{A}$, which represents concatenation of terms.
• $\mathrm{DH} : \mathcal{D} \times \mathcal{D} \rightarrow \mathcal{D}$, which represents the Diffie-Hellman operation. (As mentioned previously, we denote the range of $\mathrm{DH}$ by $\mathcal{D}_{DH}$.)

We will now write $\mathrm{encr}(K, M, r)$ as $\{|M|\}^r_K$. We will also write $\mathrm{sig}(K, M, r)$ as $[M]^r_K$.

⁵ We will not consider asymmetric encryption in this work, though we hope that it is clear how to incorporate it.

⁶ Previously, we defined nonces to be a particular sub-type of texts ($\mathcal{T}$). Now, due to their special use in encryptions, we will distinguish nonces and texts.

To use the machinery of the Strand Space model, we must define the subterm relation. The subterm relation in previous Strand Space work, denoted $\sqsubset$, denoted what could be learned from a message. That is, $M \sqsubset N$ iff $M$ could be derived from $N$ through repeated separations and decryptions:

Definition 3 We say that $M$ is a subterm of $N$, written $M \sqsubset N$, if:

• $M = N$, or
• if $N = N'\ N''$, then $M \sqsubset N'$ or $M \sqsubset N''$,
• if $N = \{|N'|\}^r_K$, then $M \sqsubset N'$,
• if $N = [N']^r_K$, then $M \sqsubset N'$.

In particular, it is assumed that symmetric encryption would not reveal the key used to encrypt, so $K \not\sqsubset \{|M|\}^r_K$ unless $K \sqsubset M$.

In this work, we use a new relation to mean not only what could be learned from a term but also what must be used in its creation. To distinguish this new relation from the standard subterm relation, we use a different name:

Definition 4 We say that $M$ is an ingredient of $N$, written $M \prec N$, if:

• $M = N$, or
• if $N = \mathrm{hash}(N') \in \mathcal{K}_{hash}$, then $M \prec N'$,
• if $N = \mathrm{DH}(d_1, d_2)$, then $M \prec d_1$ or $M \prec d_2$,
• if $N = \{|N'|\}^r_K$, then $M \prec N'$ or $M \prec K$,
• if $N = [N']^r_K$, then $M \prec N'$ or $M \prec K$.

Note that it is not necessarily the case that $r \prec \{|N|\}^r_K$. While we assume that no one can produce an encryption without knowing the plaintext and key, we cannot make this same assumption about the randomness used in the encryption process.⁷

Similarly to origination, we can define the first time that a value is used on a strand:

Definition 5 A term $t$ arises on a node $n$ iff $n$ is an entry point to the set $I = \{t' : t \prec t'\}$.

3.2 Extending the Adversary

The next step in the extension of Strand Spaces is to give additional powers to the adversary. The usual way this is done in the formal methods approach is to give to the adversary some small number of unavoidable operations and to assume that the underlying cryptography ensures that no other operations are available. This is, in fact, the approach we will take with regard to the new signature and hashing operations. Regardless of the actual algorithms, the adversary can always:

• Make any predictable text,
• Make fresh random values, which we represent by allowing it to produce whatever it wants from a distinguished set $\mathcal{R}_{Adv} \subset \mathcal{R}$,
• Sign any value it knows with any signature key it knows,
• Extract the “plaintext” from a signed message, and
• Hash any values it knows.

Similarly, there are operations that the adversary will always be able to apply to Diffie-Hellman values:

• The adversary can always generate new Diffie-Hellman values. Hence, we distinguish the set $\mathcal{D}_P \subset \mathcal{D}$ and allow the adversary to generate any value in that set. (We assume that $\mathcal{D}_P$ and $\mathcal{D}_{DH}$ are disjoint.)
• Also, the adversary is always able to perform the group operation efficiently, and hence can perform exponentiation.

Should we assume that these are the only operations available to the adversary? The answer to this question depends on whether one wishes to prove security or find flaws. If one wishes to find flaws, it makes sense to assume a limited adversary (albeit one that might have more powers than listed above). Any flaw available to such an adversary will remain available to the unlimited one, and limiting the adversary’s powers can make it easier to automate a flaw-finding technique. (This is the approach taken, for example, in [10].)

⁷ Indeed, in a deterministic encryption scheme the ciphertext is completely independent of the random “input.”

In this paper, however, we wish to focus on proofs of security. Hence, we wish to avoid any assumptions regarding the powers of the adversary that we cannot justify. For this reason, we will give the adversary the power to perform any efficient calculation. In keeping with the Dolev-Yao model, we assume that the underlying encryption scheme is strong enough to enforce the limited ability of the adversary to produce and manipulate ciphertexts and hashes. (Recent work [2, 1, 8, 9] has begun to justify these assumptions in terms of computational complexity.) However, the only assumption we can make about the underlying Diffie-Hellman group is that the Diffie-Hellman problem is hard. Hence, the adversary has the power to make general computations that result in Diffie-Hellman values, so long as those computations are efficient:

Definition 6 A function $f$ is computable in probabilistic polynomial time if there exists a probabilistic Turing machine $M$ so that for some polynomial $q$, for all input $x$, $M(x)$ terminates in time polynomial in $|x|$ and $\Pr[M(x) = f(x)] > \ldots$

We give to the adversary a strand for every probabilistic polynomial time-computable function from messages to group elements. The efficiency of a given function will depend upon the exact mapping from messages to bit-strings; we assume that the encoding has been fixed and that the adversary has access to every function that remains probabilistic polynomial time-calculable.

Definition 7 An adversary strand is one of the following:

M. Text message: $\langle +t \rangle$ where $t \in \mathcal{T}$
R. Fresh randomness: $\langle +r \rangle$ where $r \in \mathcal{R}_{Adv}$
C. Concatenation: $\langle -g, -h, +g\ h \rangle$
S. Separation into components: $\langle -g\ h, +g, +h \rangle$
K. Key: $\langle +K \rangle$ where $K \in \mathcal{K}_P$
E. Encryption: $\langle -K, -h, -r, +\{|h|\}^r_K \rangle$, where $K \in \mathcal{K}_{sym}$
D. Decryption: $\langle -K, -\{|h|\}^r_K, +h \rangle$, where $K \in \mathcal{K}_{sym}$
σ. Signing: $\langle -K, -h, -r, +[h]^r_K \rangle$, where $K \in \mathcal{K}_{sig}$
X. Extraction of plaintext from signatures: $\langle -[h]^r_K, +h \rangle$
H. Hashing: $\langle -g, +\mathrm{hash}(g) \rangle$
F. Fresh Diffie-Hellman value: $\langle +d \rangle$ where $d \in \mathcal{D}_P$
f. Computation of a function $f$: $\langle -M_1, -M_2, -M_3, \ldots, -M_n, +d \rangle$, where $d = f(M_1, M_2, \ldots, M_n)$ and $f$ is computable in probabilistic polynomial time.

Although the other strands represent efficient operations, they are not subsumed by the $f$-strands. The $f$-strands only produce Diffie-Hellman values, while the other strands (except the F strand) produce terms of other types.

4 Derivation of the Security Property

With the preliminaries out of the way, we are now prepared to incorporate the Diffie-Hellman assumption into Strand Spaces. In particular, we will define a global condition over all bundles which represents the security guarantees provided by the Diffie-Hellman assumption. In this section, we present an informal derivation of this condition. (A more formal consideration can be found in Section 6.)

We derive our global property via the following steps:

• We propose a formal adversary “goal” which represents the act of solving the Diffie-Hellman problem.
• We argue that any attack the formal adversary can launch that accomplishes the goal without the help of honest participants will translate to an algorithm that solves the Diffie-Hellman problem. As a result, if the Diffie-Hellman problem is hard, then the formal adversary can never accomplish this goal on its own.
• We then consider the assistance that honest participants might give to the formal adversary. We provide a pair of simple and natural syntactic restrictions on honest participants, and show they ensure that the honest participants do not help the adversary achieve its goal.

We finish with the global property: if all honest participants obey the two restrictions, then the adversary can never achieve the goal.

In particular, the “goal” of our informal discussion will be

Form a bundle where $d_1$, $d_2$ arise only on regular strands and $\mathrm{DH}(d_1, d_2)$ arises on an adversary node.

Intuitively, this goal corresponds to the situation where $x$ and $y$ are chosen by honest participants and kept secret. They communicate only $g^x$ and $g^y$, and the adversary is somehow able to calculate $g^{xy}$.

Suppose that there is a bundle where the adversary is able to accomplish this goal without the help of honest participants. Without loss of generality, assume that the bundle accomplishes this goal with only two regular strands: $\langle +d_1 \rangle$ and $\langle +d_2 \rangle$. All other strands in the bundle are adversary strands. Each adversary strand represents one calculation, and each such calculation can be performed efficiently. The terms $d_1$, $d_2$, and $\mathrm{DH}(d_1, d_2)$ represent the distributions of $g^x$, $g^y$, and $g^{xy}$ respectively (for randomly chosen $x$ and $y$). Thus, the bundle represents an algorithm that takes in $g^x$ and $g^y$ at the two regular nodes and outputs $g^{xy}$ at the node containing $\mathrm{DH}(d_1, d_2)$. By composing these calculations represented by the strands in the order given by the structure of the bundle, one forms an algorithm that solves the Diffie-Hellman problem. Hence, if the Diffie-Hellman problem is hard, then there exists no bundle that achieves the above goal without the use of regular strands.

What about bundles that do use regular strands? These may prove to be problematic. There is no restriction on the form of regular strands, after all, and so there is no prohibition against the strand (for example):

$\langle -d_1, -d_2, +f(\mathrm{DH}(d_1, d_2)) \rangle$

where $f$ is some easily invertible permutation on the underlying group. Although $\mathrm{DH}(d_1, d_2)$ does not originate on this regular strand, the strand allows it to originate on an adversary strand (namely, the strand that represents the computation of $f^{-1}$).

If regular strands can be of arbitrary form then it is possible for them to release secrets in several ways. More importantly, they can represent the computation of intractable functions. There is no reason to assume that the Diffie-Hellman problem remains hard if the adversary has access to secrets or oracles that perform inefficient calculations. Hence, it may be possible for the adversary to achieve the goal of solving Diffie-Hellman if it is assisted by (unrestricted) honest participants.

To surmount this difficulty, it is necessary to restrict our attention to those regular strands that do not provide assistance to the adversary. Intuitively, an honest participant is simulatable⁸ [7] if any message the adversary receives from that participant is indistinguishable from one that the adversary could generate itself.⁹ Hence, a simulatable honest participant is one that gives no assistance to the adversary: any help it could give would be already available.

Thus, what is required is a natural and useful class of simulatable regular strands. There are many classes from which to choose; we choose ours based on such protocols as TLS [5], SSH [13], and the one at the beginning of this paper. These protocols share two natural conditions:

1. Regular participants never calculate $g^{xy}$ unless they know either $x$ or $y$, and

2. Regular participants never actually say $g^{xy}$, but only use it as a source of key material.

⁸ “Simulatability” here means something different than that intended by “bisimulation”.

⁹ Two probability distributions $D_1$ and $D_2$ are indistinguishable if (informally) the output distribution of an efficient (probabilistic polynomial-time) algorithm $A$ does not noticeably depend on whether the input was drawn from $D_1$ or $D_2$. Thus, an honest strand is simulatable if the adversary can produce a distribution indistinguishable from that of the honest participant’s output, but does so without any of the honest participant’s secrets or internal state.

More formally:

Definition 8 A protocol is conservative with regard to Diffie-Hellman if, whenever a term $\mathrm{DH}(d_a, d_b)$ arises on a regular node, either $d_a$ or $d_b$ arises only on regular nodes.

It would be possible to insist on a stronger connection between strands on which $g^{xy}$ arises and the strands on which $g^x$ and $g^y$ arise, but it is not necessary for our purposes. Also:

Definition 9 We say that a protocol is silent with respect to Diffie-Hellman if no element of $\mathcal{D}_{DH}$ originates on a regular node.

Here, we do mean “originate” and not “arise”. The definition allows elements of $\mathcal{D}_{DH}$ to arise on regular nodes so long as they do not originate there. That is, a protocol is silent with respect to Diffie-Hellman if, whenever $g^{xy}$ arises, it is as an ingredient of a symmetric key.

Both of these properties are purely syntactic, and easy to verify. Together, they ensure simulatability (as we will show in Section 6.2). Thus, as long as regular strands meet these two properties, the adversary has no noticeable chance of achieving the original goal. We formalize this in a global property:

Definition 10 (Security Property $\mathcal{DH}$) Suppose that $\mathcal{B}$ is a bundle over a protocol both silent and conservative with respect to Diffie-Hellman. If $d_a, d_b \in \mathcal{D}$ arise only on regular strands in $\mathcal{B}$, then $\mathrm{DH}(d_a, d_b)$ never originates in $\mathcal{B}$.

We demonstrate the utility of this condition by analyzing the protocol that began this paper.

5 An Example Analysis

First, we re-visit some useful definitions and results from previous Strand Space papers, and update them for the extended algebra and adversary of Definitions 2 and 7.

Definition 11 A set $I \subseteq \mathcal{A}$ is honest if all adversary entry points to $I$ are on M, R, K, F, or f strands.

Definition 12 Let $k \subseteq \mathcal{K}_{sym}$. Then a $k$-ideal of $\mathcal{A}$ is a set $I \subseteq \mathcal{A}$ such that for all $h \in I$, $g \in \mathcal{A}$, $K \in k$, $r \in \mathcal{R}$, and $K_S \in \mathcal{K}_{sig}$:

• $g\ h \in I$ and $h\ g \in I$,
• $\{|h|\}^r_K \in I$, and
• $[h]^r_{K_S} \in I$.

We will denote the smallest $k$-ideal that contains $S$ as $I_k[S]$.

Theorem 1 Suppose that $S \subseteq \mathcal{A}$ and $k \subseteq \mathcal{K}_{sym}$ are such that

• $(\mathcal{K}_{sym} \cup \mathcal{K}_{hash}) \subseteq S \cup k$,
• $S \cap \cdots = \emptyset$,
• $S \cap \cdots = \emptyset$,
• if $g\ h \in S$, then $g \in S$ or $h \in S$,
• if $\mathrm{hash}(h) \in S$, then $h \in S$.

Then $I_k[S]$ is honest.

Proof sketch: A case analysis on the types of adversary strands shows that entry points to $I_k[S]$ cannot be on any adversary strand but those allowed by Definition 11. (A fuller example of an analogous proof is that of Theorem 6.11 in [12].) ■

Theorem 2 If $K \in K_{sym}$ is never the term of a node in $B$, then for any $h \in A$ the term $\{|h|\}_K$ must originate on a regular strand.

Proof: Suppose that $\{|h|\}_K$ originates on an adversary strand. By examining the forms of adversary strands, we see that the only strand on which it can originate is an E strand. But in that case, there is a previous node on that strand with $K$ as its term, a contradiction. ∎

Theorem 3 If $K \in K_{hash}$ is never the term of a node in $B$, then for any $h \in A$ the term $\{|h|\}_K$ must originate on a regular strand.

Proof: The same as that of Theorem 2. ∎

Theorem 4 If $K_s \in K_{sig}$ is never the term of a node in $B$, then for any $h \in A$ the term $[h]_{K_s}$ must originate on a regular strand.

Proof: Suppose that $[h]_{K_s}$ originates on an adversary strand. By examining the forms of adversary strands, we see that the only strand on which it can originate is a σ strand. But in that case, there is a previous node on that strand with $K_s$ as its term, a contradiction. ∎

Now  that  we  have  general  theorems,  we  can  apply  these 
to  the  protocol  from  the  beginning  of  the  paper: 

Definition 13 Let Cl[C, S, $d_1$, $d_2$] be the set of strands of the form:

{  +  C”: 

- 

-  mcsvj^, 


for some $r_1, r_2, r_3, r_4 \in R$, where

$$K' = \mathrm{hash}(\mathrm{DH}(d_1, d_2)).$$

Definition 14 Let Sv[C, S, $d_1$, $d_2$] be Cl[C, S, $d_1$, $d_2$] with all the signs reversed.

First we prove that authentication from server to client is assured. That is, we show that if a client terminates its execution of the protocol successfully (the bundle contains an entire Cl[C, S, $d_1$, $d_2$] strand) then the server finishes a corresponding run of the protocol (the bundle contains an entire Sv[C, S, $d_1$, $d_2$] strand):

Theorem 5 Let $B$ be a bundle containing the strands of Definitions 7, 13 and 14. Suppose that $d_1, d_2 \notin D_P$ and uniquely arise, that $K_S, K' \notin K_P$, and that the Diffie-Hellman problem is hard. Then if $B$ contains some strand in Cl[C, S, $d_1$, $d_2$] of height 4, $B$ must also contain some strand in Sv[C, S, $d_1$, $d_2$] of height 4.

Proof: Since $K_S \notin K_P$ and no member of $K_{sig}$ originates on regular strands, $d_1$ must originate on a regular strand (Theorem 4). Hence, both $d_1$ and $d_2$ uniquely arise on regular strands. Since the protocol of Definitions 13 and 14 is both silent and conservative, $\mathrm{DH}(d_1, d_2)$ never originates in $B$ (Theorem 9). Since $K' = \mathrm{hash}(\mathrm{DH}(d_1, d_2)) \notin K_P$, $K'$ is never the term of a node in $B$, and so $\{|T_2\,C\,S|\}_{K'}$ must originate on a regular strand (Theorem 2). By inspection, it must be node 4 of Sv[C, S, $d_1$, $d_2$]. ∎

Now we show the corresponding theorem: that if the server finished a run of the protocol (the bundle contains an entire Sv[C, S, $d_1$, $d_2$] strand) then the client must have finished almost all of a corresponding run (the bundle contains almost an entire Cl[C, S, $d_1$, $d_2$] strand). We cannot guarantee that the client finishes the run, since the server has no way of knowing that the last message of the protocol actually arrives:

Theorem 6 Let $B$ be a bundle containing the strands of Definitions 7, 13, and 14. Suppose that $d_1, d_2 \notin D_P$ and uniquely arise, that $K_C, K' \notin K_P$, and that the Diffie-Hellman problem is hard. Then if $B$ contains some strand in Sv[C, S, $d_1$, $d_2$] of height 4, $B$ must also contain some strand in Cl[C, S, $d_1$, $d_2$] of height 3.

Proof: Since $K_C \notin K_P$ and no member of $K_{sig}$ originates on regular strands, $d_2$ must originate on a regular strand (Theorem 4). Hence, both $d_1$ and $d_2$ uniquely arise on regular strands. Since the protocol of Definitions 13 and 14 is both silent and conservative, $\mathrm{DH}(d_1, d_2)$ never originates in $B$ (Theorem 9). Since $K' = \mathrm{hash}(\mathrm{DH}(d_1, d_2)) \notin K_P$, $K'$ is never the term of a node in $B$, and so $\{|T_1\,C\,S|\}_{K'}$ must originate on a regular strand (Theorem 2). By inspection, it must be node 3 of Cl[C, S, $d_1$, $d_2$]. ∎
As can be seen, the global property of Definition 10 leads to very short and simple proofs for a natural class of protocols. In the next section, we give the promised formal justification of this property.

6  Diffie-Hellman  in  Strand  Spaces,  Formally 

The  main  idea  behind  our  justification  is  that  there  is  a 
natural  conversion  from  attacks  in  the  formal  setting  (bun¬ 
dles,  in  particular)  to  computational  algorithms.  We  give 
this  conversion  in  this  section,  and  show  that  if  the  bun¬ 
dle  violates  the  global  property  then  the  resulting  algorithm 
solves  the  Diffie-Hellman  problem. 

This  is  not  enough,  however.  To  violate  the  Diffie- 
Hellman  assumption,  we  need  an  algorithm  that  both  solves 
the  Diffie-Hellman  problem  and  is  efficient.  Since  our  con¬ 
version  makes  no  assumptions  about  the  forms  of  regular 
strands,  there  are  no  guarantees  about  the  complexity  of  the 
resulting  algorithm.  In  the  next  section,  we  show  that  if  the 
regular  strands  are  silent  and  conservative,  then  the  result¬ 
ing  algorithm  will  be  efficient.  (Or  rather,  a  slight  variant 
of  the  resulting  algorithm  that  simulates  the  regular  strands 
will  be  efficient.) 

6.1 Relating Bundles and Computational Algorithms

A  word  about  how  the  mapping  from  bundles  to  algo¬ 
rithms  will  proceed:  the  resulting  algorithm  will  calculate 
(and  store  in  a  table)  a  value  for  each  node  in  the  bundle  by 
recursing  on  both  the  structure  of  the  bundle  and  the  struc¬ 
ture  of  each  term.  The  recursion  along  the  bundle  structure 
is  relatively  straightforward:  early  nodes  are  calculated  be¬ 
fore  later  ones.  The  recursion  along  message  structure,  on 
the  other  hand,  presents  an  interesting  issue:  how  should  the 
algorithm  build  values  for  compound  messages  from  those 
for  atomic  ones? 

The  algorithm  will  use,  as  black  boxes,  computational 
algorithms  for  encryption,  signing,  and  hashing.  (These  al¬ 
gorithms  are  defined  in  Appendix  A.)  The  mapping  itself 
assumes  no  properties  about  these  sub-algorithms,  meaning 
we  are  free  to  choose  these  sub-algorithms  arbitrarily.  How¬ 
ever,  this  freedom  is  short-lived:  for  efficiency  conditions, 
we  will  later  (Section  6.2)  need  to  assume  that  one  of  these 
algorithms  meets  a  standard  definition  of  security. 

Given a formal bundle $B$, we will map it onto an algorithm $A_B$ in the following way:

Definition 15 Let $(G_e, E, D)$ be an encryption scheme, $(G_s, S, V)$ be a signature scheme, and $(G_h, H)$ be a hash scheme. Let $B$ be a bundle over $A$. Then $A_B(1^\eta)$ is the following algorithm:


• First, a table $T$ is created to map elements of $A$ to bit-strings. We assume this mapping to be consistent over the entire bundle. For example, every instance of $K \in \mathcal{K}$ that occurs in $B$ is intended to "represent" the same bit-string throughout the bundle. At the beginning of the execution, this table is empty.

• A group $G_p \leftarrow IG(1^\eta)$ is generated for Diffie-Hellman.

• A hash function $h \leftarrow G_h(1^\eta)$ is generated for hashing.

• Each node in the bundle is then replaced with a bit-string value, starting with minimal nodes and working forward. That is, a node $n$ is replaced with a bit-string value $v_n$ only after every $n' \prec_B n$. The exact manner in which a bit-string is chosen for $n$ depends on the sign of $n$ and the type of strand on which it lies:

• Suppose that $n$ is a positive node $+d_k \in D$ and it lies upon an f strand. Then:

 – f is a PPT-computable function, and

 – By inductive hypothesis, values $v_1, v_2, \ldots, v_{k-1}$ have already been chosen for the nodes $-d_1, -d_2, \ldots, -d_{k-1}$ previous on the strand.

The value for $+d_k$ is chosen by running $M_f(v_1, v_2, \ldots, v_{k-1})$ and returning the output. Additionally, this value is stored for $d_k$ in the table $T$ if no value for $d_k$ is already present there.

• If $n$ is a positive node $+M$ and it lies upon any kind of strand other than an f strand, then there are two cases:

 – If there exists a bit-string $m$ in the table $T$ as the value for $M$, then $m$ is the value returned.

 – If $M$ is not in the table $T$, the algorithm generates a value $v$ for $M$. The value $v$ is then stored in $T$ and returned. The value $v$ is generated by recursing on the structure of $M$:

  * If $M$ is an atomic message, then the value $v$ is chosen in some appropriate way. For keys (which are not in $K_{hash}$) the appropriate key generation algorithm is run. For randomness, random strings of length $Q(\eta)$ are chosen uniformly from $\{0,1\}^{Q(\eta)}$. (The polynomial $Q$ here is the same as that in Appendix A.) Diffie-Hellman values (in $D \setminus D_{dh}$) are created by choosing a random element $x \leftarrow \{1, \ldots, |G_p|\}$ and calculating $g^x$. Texts are converted into bit-strings in some arbitrary way. The value is put into the table $T$ as the value for $M$ and returned. (In the case of signature keys, both the signing and verification keys are stored in $T$.)

  * If $M = \mathrm{hash}(M')$ then the algorithm recursively gets a value $m'$ for $M'$. It then sets $v = G_e(1^\eta, h(m'))$. (Note that we are now considering $G_e$ to be a deterministic algorithm of two inputs, and using the output of the hash as the second, random, input.)

  * If $M = M_1\,M_2$, then the algorithm recursively gets values $m_1$ for $M_1$ and $m_2$ for $M_2$. It returns $v = (m_1, m_2)$.

  * If $M = \{|M'|\}^r_K$ or $[M']^r_K$, then the algorithm recursively gets values $m'$ for $M'$, $r$ for $R$ and $k$ for $K$. It then calculates $v = E(m', r, k)$ or $v = S(m', r, k)$, respectively.

  * If $M = \mathrm{DH}(d_1, d_2)$ then the algorithm recursively gets values $g^x$ for $d_1$ and $g^y$ for $d_2$. It calculates $v = g^{xy}$. (Again, we note that calculating $g^{xy}$ from $g^x$ and $g^y$ may not be efficiently computable, but delay discussion of this issue until the next section.)

• If $n$ is a negative node $-M$ (on a strand $s$) then there exists in the bundle a node $+M$ so that $+M \rightarrow -M$. By assumption, a value $m'$ has already been assigned to the node $+M$, which means that a value $v$ has been assigned to $M$ in $T$. We accept $v$ for $-M$ also.

The above algorithm converts each node of the bundle $B$ into a bit-string. We now define what it means for it to have performed the conversion correctly:

Definition 16 Let $B$ be a bundle and $A_B$ be the algorithm derived from $B$ as per Definition 15. Then an execution of $A_B$ is "correct" when, for every f strand in the bundle and every execution of $M_f$, if $M_f$ is run on $(x_1, x_2, \ldots, x_n)$ it outputs $f(x_1, x_2, \ldots, x_n)$.

Theorem 7 If $B$ is a bundle, then

$$\Pr\left[A_B(1^\eta)\ \text{computes properly}\right] \geq \frac{1}{q(\eta)}$$

for some polynomial $q$.

Proof: If every execution of $M_f$ properly calculates $f$ (for every f strand in the bundle) then the algorithm $A_B$ properly executes. What are the odds that each execution of $M_f(x)$ properly calculates $f(x)$? By definition, the probability of a successful calculation is at least the inverse of a polynomial in $|x|$. During the execution of $A_B$, $M_f$ will only be executed on the encodings of terms. Encodings of atomic terms are of length polynomial in $\eta$ by definition, or are generated by algorithms that run in time polynomial in $\eta$. Furthermore, the encoding of a compound term is generated by a polynomial-time algorithm running on the encodings of terms. Since the "depth" (or structure) of a term is constant with respect to $\eta$, it must be that all encodings of terms have length polynomial in $\eta$.

Lastly, we assume that the random coin flips for each execution of $M_f$ are independent, and note that the number of f strands in $B$ is constant with respect to $\eta$. Hence, the probability that all executions of $M_f$ properly calculate $f$ (and hence that $A_B$ executes properly) is the product of a constant number of probabilities, each of which is at least the inverse of a polynomial in $\eta$. Hence, the probability that $A_B$ executes properly is at least the inverse of some polynomial in $\eta$. ∎

Footnote (to the conversion of texts into bit-strings in Definition 15): So long as the mapping from formal texts to finite bit-strings is efficiently computable and deterministic, it does not matter how the translation is actually done.

We note that this result is independent of the choices for encryption, signature, and hash algorithms. This is because the operations available to the adversary with regard to these schemes are deterministic (once the random input is fixed). The only probability comes in the form of f strands, and each of those is assumed to be computable in probabilistic polynomial time. Hence, any bundle can be computed with non-negligible probability.

Theorem 8 Suppose $A_B$ correctly executes, and let $T$ be the table at the end of the execution. For all $d_1, d_2 \in D$, if $T(d_1) = g^x$ and $T(d_2) = g^y$, then $T(\mathrm{DH}(d_1, d_2)) = g^{xy}$.

Proof: Consider where in the bundle the value $\mathrm{DH}(d_1, d_2)$ arises. If it only arises on regular strands, then it will be assigned the value $g^{xy}$. If it arises on an f strand, then

$$\mathrm{DH}(d_1, d_2) = f(M_1, M_2, \ldots, M_n)$$

where each $M_i$ is some message. It may be that $M_i = d_i$ for some $d_i \in D$, which may also arise on an f' strand. Hence, it may be that

$$\mathrm{DH}(d_1, d_2) = f(M_1, \ldots, f'(N_1, \ldots, N_m), \ldots, M_n)$$

and so on. But the table $T$ may not contain the correct evaluations of $f$, $f'$ and so on. The values in $T$ are created by running the machines $M_f$, $M_{f'}$ and so on. But if the algorithm correctly executes then each run of the machine $M_f$ correctly evaluates $f$, and the same for $M_{f'}$ and so on. Hence, if every f strand is calculated correctly, then the value for $\mathrm{DH}(d_1, d_2)$ in $T$ will be evaluated correctly, which gives it the value $g^{xy}$. ∎

Hence, if a bundle uses $\mathrm{DH}(d_1, d_2)$ at any point, then the algorithm can be used to solve the Diffie-Hellman problem. However, the algorithm $A_B$ may not be computable in probabilistic polynomial time. The algorithm as described requires that the Diffie-Hellman problem be solved for each term $\mathrm{DH}(d_1, d_2)$ in the bundle that doesn't arise on an f strand. That is, if the bundle contains an instance of $\mathrm{DH}(d_1, d_2)$ that arises on a regular strand, the resulting algorithm may be forced to solve Diffie-Hellman. In the next section, we discuss a way around this difficulty.

6.2  Efficiency  Concerns  and  Simulation 

Assume that there exists a bundle where the regular strands are silent and conservative and which violates security property $\mathcal{DH}$. As shown in the previous section, this bundle maps to an algorithm that solves the Diffie-Hellman problem. However, the algorithm may not be efficient. In particular, the algorithm assigns the value $g^{xy}$ to the formal term $\mathrm{DH}(d_1, d_2)$ (when it also assigns $g^x$ to $d_1$ and $g^y$ to $d_2$). This may require the algorithm to solve the Diffie-Hellman problem directly, an operation we are explicitly assuming to be inefficient.

However,  all  adversary  strands  are  efficiently  com¬ 
putable;  the  algorithm  would  only  need  to  solve  Diffie- 
Hellman  when  calculating  the  values  on  regular  strands. 
Furthermore,  we  now  assume  that  all  of  the  regular  strands 
are  conservative,  and  hence  Diffie-Hellman  values  are  only 
used  on  regular  strands  to  make  keys.  Since  we  assume  that 
making  a  key  from  a  Diffie-Hellman  value  involves  hashing 
it  first,  we  can  use  this  to  avoid  an  infeasible  computation. 

The  central  idea  is  that  a  hash  algorithm  can  be  simulated 
by  a  random  function.  In  particular,  we  assume  that  the  hash 
function  is  pseudorandom: 

Definition 17 Let $\{R_\eta\}$ be a family of function families with the following two properties:

1. $\forall r \in R_\eta$, $r$ is a function from $\{0,1\}^*$ to $\{0,1\}^{Q(\eta)}$, and

2. $\forall \eta \in \text{Parameter}$, $\forall s \in \{0,1\}^*$, $\forall t \in \{0,1\}^{Q(\eta)}$,

$$\Pr\left[r \leftarrow R_\eta : r(s) = t\right] = \frac{1}{2^{Q(\eta)}}.$$

Then $\{R_\eta\}$ is a random function family.

Definition 18 A hash function is pseudorandom if for all PPT distinguishers $A$, for all polynomials $q$, and for all sufficiently large $\eta$:

$$\left|\Pr\left[r \leftarrow R_\eta : A^{r(\cdot)}(1^\eta) = 1\right] - \Pr\left[h \leftarrow G_h(1^\eta) : A^{h(\cdot)}(1^\eta) = 1\right]\right| < \frac{1}{q(\eta)}.$$

That is, a hash scheme is pseudorandom if a randomly-chosen hash operation is indistinguishable from a random function. Hence, if we assume that regular participants make keys from Diffie-Hellman values by hashing them with a randomly-chosen hash operation, we can simply choose random values instead. If this modification changes the output distribution of the resulting algorithm, then the hash algorithm is not, in fact, pseudorandom. (The fact that the regular strands are silent is essential here, as we will see later in the proof.)

Theorem 9 Suppose that the protocol $\Pi$ is both silent and conservative with respect to Diffie-Hellman. Suppose that there exists a pseudorandom hash algorithm $(G_h, H)$ and all functions $f$ with f-strands in $B$ are probabilistic polynomial-time computable with respect to $(G_h, H)$. If there exists a bundle $B$ over $\Pi$ which violates the formal Diffie-Hellman property $\mathcal{DH}$, then the computational Diffie-Hellman assumption is false.

Proof: By assumption, $B$ violates security property $\mathcal{DH}$. Then:

• $d_1$ and $d_2$ arise only on regular strands in $B$,

• $\mathrm{DH}(d_1, d_2)$ never originates on a regular node, and

• $\mathrm{DH}(d_1, d_2)$ originates in $B$.

Let $n$ be a minimal origination point of $\mathrm{DH}(d_1, d_2)$ in $B$. Note that all origination points of $\mathrm{DH}(d_1, d_2)$ are on adversary strands, including $n$. By inspection of the form of adversary strands, it must be that the term of $n$ is in fact $\mathrm{DH}(d_1, d_2)$ itself. (If it contained $\mathrm{DH}(d_1, d_2)$ as a subterm, then $\mathrm{DH}(d_1, d_2)$ must be a subterm of a previous node on that strand, and $n$ would not be an origination point.)

Let $B|_n$ be the set of all nodes in $B$ which are "before" $n$. That is, let

$$B|_n = \{\,n' \mid n' \preceq_B n\,\}.$$


We construct an adversary $A$ that breaks the computational Diffie-Hellman assumption in the following way: $A(p, g, g^x, g^y)$ simulates $A_{B|_n}$, with the following important exceptions:

1. Instead of generating its own group $G_p \leftarrow IG(1^\eta)$, $A$ will use the group specified by its first input $p$ and use its second input $g$ as a generator.

2. Instead of the table $T$ being empty at initialization, it contains an entry mapping $d_1$ to $g^x$ and an entry mapping $d_2$ to $g^y$.

3. When $A_{B|_n}$ calculates a value for $\mathrm{DH}(d_a, d_b)$, it seems to need to solve the Diffie-Hellman problem in order to do so. However, we can avoid this calculation by considering the kinds of nodes which would cause $A_{B|_n}$ to calculate a value for $\mathrm{DH}(d_a, d_b)$.

• It could be on an f strand, in which case $A$ simulates $M_f$ as $A_{B|_n}$ would.

• It could be on a regular strand, in which case we know that $\mathrm{DH}(d_a, d_b)$ is not a subterm of the node in question. (If it were, then it would have originated there.) Let the node in question be $+M$. Since it is an ingredient of the term but not a subterm, we can see by examining the term structure that $\mathrm{DH}(d_a, d_b) \sqsubset \mathrm{hash}(N) \sqsubset M$. Therefore, we only need to calculate a Diffie-Hellman value as part of computing a hash. Since the hash is pseudorandom, we employ a trick: instead of calculating the hash, we return a random value. That is, instead of calculating $M$ normally, $A$ chooses $n' \leftarrow \{0,1\}^{Q(\eta)}$. It returns $n'$ for $\mathrm{hash}(N)$, and stores $n'$ in the table $T$ as the value for $\mathrm{hash}(N)$. It does not calculate a value for $N$ or any of its ingredients (including $\mathrm{DH}(d_a, d_b)$) as part of the calculation of a value for $M$.

When finished simulating $A_{B|_n}$, the adversary $A$ selects the value calculated for the node $n$, and returns it as its output.
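The following Python is an added example, not the paper's code, that carries out Definition 15's table-driven evaluation on a small constructed bundle and then the modified run of the adversary $A$ just described: the challenge values are pre-loaded into $T$ as $d_1$ and $d_2$, every hash whose pre-image contains $\mathrm{DH}(d_1, d_2)$ is answered with a random string without evaluating the pre-image, and the value at the origination node $n$ is returned. The group ($p = 23$, $g = 5$), the tuple encoding of terms, the toy stream cipher used for both $E$ and $S$ (a keyed SHAKE keystream, neither a secure cipher nor a signature scheme), the message layout of the regular strands and the brute-force f strand are all constructed assumptions; the f strand is only feasible because the group is tiny, which is exactly the point: a bundle that violates the property contains, as its computational content, an f strand that outputs $g^{xy}$.

```python
import hashlib
import os
import random

P, G = 23, 5                      # toy Diffie-Hellman group (constructed): 5 generates Z_23^*
def ibytes(n): return n.to_bytes(8, 'big')

# term constructors: a constructed tuple encoding of the paper's term algebra
def name(n):    return ('name', n)
def dh(n):      return ('dh', n)
def key(n):     return ('key', n)
def DH(a, b):   return ('DH', a, b)
def H(t):       return ('hash', t)
def pair(a, b): return ('pair', a, b)
def enc(t, k):  return ('enc', t, k)
def sig(t, k):  return ('sig', t, k)

class BundleEvaluator:
    """Definition 15: table T from terms to bit-strings, filled by recursion on term
    structure. mode='real': exponents generated here, so DH(d_a, d_b) is computed from
    them (Theorem 8). mode='simulate': d1, d2 pre-loaded as a CDH challenge with no
    exponents; a hash whose pre-image contains such a DH(., .) gets a random string
    and the pre-image is never evaluated (the Section 6.2 trick)."""
    def __init__(self, mode='real', challenge=None):
        self.mode, self.T, self.exp, self.dh_steps = mode, {}, {}, 0
        for d, v in (challenge or {}).items():
            self.T[d] = ibytes(v)

    def _unknown_dh(self, t):     # is there a DH(., .) with both exponents unknown in t?
        if t[0] == 'DH' and t[1] not in self.exp and t[2] not in self.exp:
            return True
        return t[0] in ('DH', 'pair', 'enc', 'sig', 'hash') and any(map(self._unknown_dh, t[1:]))

    def dh_value(self, da, db):   # g^{ab} from g^a and g^b: needs one of the exponents
        ga, gb = self.value(da), self.value(db)
        for d, other in ((da, gb), (db, ga)):
            if d in self.exp:
                self.dh_steps += 1
                return ibytes(pow(int.from_bytes(other, 'big'), self.exp[d], P))
        raise RuntimeError('would have to solve Diffie-Hellman')

    def value(self, term):
        if term in self.T:        # one bit-string per term across the whole bundle
            return self.T[term]
        tag = term[0]
        if tag in ('name', 'key'):
            v = term[1].encode() if tag == 'name' else os.urandom(16)
        elif tag == 'dh':         # fresh exponent x, value g^x
            self.exp[term] = x = random.randrange(1, P - 1)
            v = ibytes(pow(G, x, P))
        elif tag == 'pair':
            a, b = self.value(term[1]), self.value(term[2])
            v = len(a).to_bytes(2, 'big') + a + b
        elif tag == 'hash':
            if self.mode == 'simulate' and self._unknown_dh(term[1]):
                v = os.urandom(32)  # random stand-in for h(N); N itself is skipped
            else:
                v = hashlib.sha256(self.value(term[1])).digest()
        elif tag in ('enc', 'sig'):   # toy E(m, r, k) / S(m, r, k): XOR with a SHAKE stream
            m, k, r = self.value(term[1]), self.value(term[2]), os.urandom(8)
            v = r + bytes(a ^ b for a, b in zip(m, hashlib.shake_256(k + r).digest(len(m))))
        else:                     # tag == 'DH'
            v = self.dh_value(term[1], term[2])
        self.T[term] = v
        return v

def run_bundle(ev, strands):
    # strands in causal order: ('regular', [(sign, term), ...]) or ('f', M_f, inputs, out);
    # T is shared, so a received term carries the same bit-string as the sent one
    for kind, *rest in strands:
        if kind == 'f':
            M_f, inputs, out = rest
            ev.T.setdefault(out, M_f(*[ev.value(t) for t in inputs]))
        else:
            for _, term in rest[0]:
                ev.value(term)
    return ev

def toy_solver(gx, gy):         # stand-in f strand: brute-force discrete log, feasible only since P is tiny
    x = next(i for i in range(P) if pow(G, i, P) == int.from_bytes(gx, 'big'))
    return ibytes(pow(int.from_bytes(gy, 'big'), x, P))

# constructed bundle in the style of the paper's example protocol
C, S, T1, T2 = name('C'), name('S'), name('T1'), name('T2')
d1, d2, KS, KC = dh('d1'), dh('d2'), key('K_S'), key('K_C')
Kp = H(DH(d1, d2))                                      # K' = hash(DH(d1, d2))
CLIENT = [('+', C), ('-', pair(S, sig(d1, KS))),
          ('+', pair(sig(d2, KC), enc(pair(T1, pair(C, S)), Kp))),
          ('-', enc(pair(T2, pair(C, S)), Kp))]
SERVER = [('-' if s == '+' else '+', t) for s, t in CLIENT]
SOLVER = ('f', toy_solver, [d1, d2], DH(d1, d2))       # its output node is n

def honest_run():               # Theorem 8: both exponents known, T(DH(d1, d2)) = g^{xy}
    ev = run_bundle(BundleEvaluator('real'), [('regular', CLIENT), ('regular', SERVER)])
    ok = int.from_bytes(ev.T[DH(d1, d2)], 'big') == pow(G, ev.exp[d1] * ev.exp[d2], P)
    return ev.dh_steps, ok

def cdh_adversary(gx, gy):      # A(p, g, g^x, g^y) from the proof of Theorem 9
    ev = BundleEvaluator('simulate', challenge={d1: gx, d2: gy})
    run_bundle(ev, [('regular', CLIENT), ('regular', SERVER), SOLVER])
    return int.from_bytes(ev.T[DH(d1, d2)], 'big'), ev.dh_steps

def demo():
    x, y = random.randrange(1, P - 1), random.randrange(1, P - 1)
    gxy, steps = cdh_adversary(pow(G, x, P), pow(G, y, P))
    return gxy == pow(G, x * y, P), steps              # (True, 0): no DH step was needed
```

In `honest_run()` the evaluator generated both exponents itself, so $T(\mathrm{DH}(d_1, d_2))$ equals $g^{xy}$ after exactly one exponentiation step, the situation of Theorem 8. In `demo()` the simulator is handed only $g^x$ and $g^y$; it never performs a Diffie-Hellman step (`dh_steps` stays 0) because the regular strands use $\mathrm{DH}(d_1, d_2)$ only under a hash in key position, and it still outputs $g^{xy}$ because the bundle's f strand does. Replacing `toy_solver` by anything efficient is precisely what the computational Diffie-Hellman assumption rules out.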


What is the likelihood that the new algorithm $A$ will output the correct value?

Let us revisit the original algorithm $A_{B|_n}$. We know from Theorem 7 that for some polynomial $q$:

$$\Pr\left[A_{B|_n}(1^\eta)\ \text{computes properly}\right] \geq \frac{1}{q(\eta)}.$$

Note that we can modify $A_{B|_n}$ to take the group, the generator, and the values for $d_1$ and $d_2$ as inputs. In that case, running the new algorithm on random inputs is exactly the same as running it before the modifications:

$$\Pr\left[(p, g) \leftarrow IG(1^\eta);\ x, y \leftarrow \{1, 2, \ldots, |G_p|\} : A_{B|_n}(p, g, g^x, g^y)\ \text{computes properly}\right] \geq \frac{1}{q(\eta)}.$$

We can also modify $A_{B|_n}$ to output $g^z$, where $g^z$ is the value computed for node $n$. Due to the definition of proper computation:

$$\Pr\left[(p, g) \leftarrow IG(1^\eta);\ x, y \leftarrow \{1, 2, \ldots, |G_p|\};\ g^z \leftarrow A_{B|_n}(p, g, g^x, g^y) : g^{xy} = g^z\right] \geq \frac{1}{q(\eta)}.$$

That is, the original algorithm $A_{B|_n}$ can calculate the Diffie-Hellman value $g^{xy}$ with probability at least an inverse polynomial. But we are running $A$, not $A_{B|_n}$. Will the new algorithm have the same advantage? It is not clear: $A$ uses random values for hashing, while the original algorithm $A_{B|_n}$ calculates the values by application of the hash algorithm. However, suppose that the probability of success for $A$ were negligible while the probability of success for $A_{B|_n}$ is non-negligible. That is, let $P_1$ be the probability:

$$\Pr\left[(p, g) \leftarrow IG(1^\eta);\ x, y \leftarrow \{1, 2, \ldots, |G_p|\};\ g^z \leftarrow A_{B|_n}(p, g, g^x, g^y) : g^{xy} = g^z\right]$$

and $P_2$ be the probability:

$$\Pr\left[(p, g) \leftarrow IG(1^\eta);\ x, y \leftarrow \{1, 2, \ldots, |G_p|\};\ g^z \leftarrow A(p, g, g^x, g^y) : g^{xy} = g^z\right].$$

If $P_1$ is non-negligible and $P_2$ is negligible, then for some polynomial $q'$ and infinitely many $\eta$,

$$P_1 - P_2 = |P_1 - P_2| \geq \frac{1}{q'(\eta)}.$$

Note that the only difference between the two experiments is in how hashes are calculated. In $P_1$, hashes are calculated by actually calculating the pre-image of the hash, then taking the hash under a randomly chosen hash function. In the second probability $P_2$, hashes are taken by returning random values. If these probabilities are non-negligibly different, then we can distinguish the hash scheme from a random function family. Let the distinguisher be:

$D^{s(\cdot)}(1^\eta) =$

1. Choose random $(p, g) \leftarrow IG(1^\eta)$ and $x, y \leftarrow \{1, 2, \ldots, |G_p|\}$.

2. Simulate $A(p, g, g^x, g^y)$ with one difference: instead of calculating hash values by any calculation, use the oracle $s(\cdot)$. Note that now the algorithm $D$ knows the exponents of $g^x$ and $g^y$, and so knows the exponent for every Diffie-Hellman value that arises on a regular strand. Since the protocol is conservative, whenever $D$ needs to calculate a value for $\mathrm{DH}(d_a, d_b)$ it is the case that either $d_a$ or $d_b$ arises on a regular strand. Hence, whenever $D$ needs to perform the Diffie-Hellman operation as part of the simulation, it knows one of the two relevant exponents and the calculation is easy.

3. When the simulation returns $g^z$, test to see if $g^z = g^{xy}$. (Since $D$ chose $x$ and $y$, it can perform this test.) If it does, return 1. Otherwise return 0.

In other words, this algorithm also creates a value for each node in $B|_n$. However, since it knows the exponent for every Diffie-Hellman value $d$, it can calculate the value for $\mathrm{DH}(d, d')$ efficiently.

Since this distinguisher returns 1 with probability $P_2$ if $s$ is a random function and with probability $P_1$ if $s$ is a randomly chosen hash function, it can distinguish the hash from random. Since the hash family is pseudorandom, we know this cannot be.

Hence, the advantage of the original algorithm $A_{B|_n}$ and the advantage of the new algorithm $A$ cannot differ by a polynomial fraction. That is, for all polynomials $q'$, for sufficiently large $\eta$,

$$|P_1 - P_2| < \frac{1}{q'(\eta)}.$$

Hence, for all polynomials $q'$, for sufficiently large $\eta$,

$$P_2 \geq \frac{1}{q(\eta)} - \frac{1}{q'(\eta)},$$

or by letting $q' = 2q$,

$$P_2 \geq \frac{1}{2q(\eta)}.$$


In other words, suppose that the hash function is pseudorandom, and that the adversary strands are all polynomial-time computable over the choices of hash, encryption, and signature functions. Then if there exists a bundle over a conservative, silent protocol that violates the security property $\mathcal{DH}$ in Definition 10, the computational Diffie-Hellman assumption is false over the group family in question. Conversely, if the Diffie-Hellman problem is hard over the group, then there can be no silent and conservative bundle which violates the security condition $\mathcal{DH}$.

7 Conclusion

The primary purpose of this work is two-fold:

1. To allow the Strand Space method to analyze protocols that use the Diffie-Hellman key exchange, and

2. To show how the computational model can be used to define and/or justify new security assumptions in the formal model.

To this end, we have formalized a security condition that summarizes, in a form appropriate for Strand Spaces, the security provided by the Diffie-Hellman assumption. To justify this condition, we provided a method for transforming bundles into computational algorithms. Under reasonable assumptions on the form of the protocol and the underlying cryptography, our condition can be violated only if the computational Diffie-Hellman assumption is false.


We  believe  this  represents  a  new  step  in  the  develop¬ 
ment  of  formal  cryptographic  analysis.  In  particular,  we 
believe  this  to  be  the  first  effort  to  use  the  computational 
model  to  incorporate  Diffie-Hellman  into  the  formal  model. 
Previous  work  on  protocols  that  use  Diffie-Hellman  [10] 
have  focused  on  finding  attacks  rather  than  proving  secu¬ 
rity.  Hence,  they  have  made  simplifying  assumptions  on 
the  powers  of  the  adversary  and  the  nature  of  possible  at¬ 
tacks.  (In  particular,  they  assume  that  the  only  way  to  solve 
the  Diffie-Hellman  problem  is  to  solve  the  corresponding 
Discrete  Log  problem  —  a  simplifying  assumption  much 
like  those  made  about  encryption.)  Our  work  is  focused  on 
proofs  of  security,  and  so  we  assume  only  what  can  be  justi¬ 
fied  in  terms  of  computational  cryptography.  Hence,  proofs 
in  our  framework  will  be  as  strong  as  the  Diffie-Hellman 
assumption.  (Note,  however,  our  work  is  not  as  widely  ap¬ 
plicable  as  that  in  [10]:  we  cannot  yet  consider  common 
group-keying  protocols,  for  example.) 

On the other hand, there have been many interesting papers that connect the formal (i.e. Dolev-Yao) model with the computational approach [1, 2, 3, 8, 9]. However, these papers focus on long-standing simplifications and abstractions. Our work is novel in that it uses the computational approach to derive and justify new abstractions.

We  would  like  to  see  this  work  continue  in  two  ways. 
First,  we  would  like  to  see  our  security  condition  translated 
to  settings  other  than  Strand  Spaces.  Furthermore,  we  hope 
that  the  security  condition  can  be  used  to  analyze  real-world 
protocols,  or  even  be  used  to  help  design  new  ones. 

Second,  we  would  like  to  see  if  the  assumptions  of  this 
paper  can  be  weakened.  Our  assumptions  regarding  the  un¬ 
derlying  cryptography  are  quite  weak:  only  that  the  hashing 
is  pseudorandom.  However,  this  weakness  on  the  cryptog¬ 
raphy  is  balanced  by  the  strength  of  the  formal  assumptions 
(Definitions  8  and  9).  Because  these  assumptions  are  so 
strong,  there  are  very  likely  secure  protocols  which  cannot 
yet  be  proven  secure  in  our  framework.  We  would  be  in¬ 
terested  to  see  if  these  conditions  could  be  weakened.  Al¬ 
ternately,  there  may  be  other  conditions  which  guarantee 
the  simulatability  of  the  regular  strands.  If  so,  we  would 
be  interested  in  seeing  them,  and  would  be  particularly  in¬ 
terested  in  knowing  if  there  are  necessary  and/or  sufficient 
conditions  for  simulatability. 

Lastly,  we  believe  that  the  main  technique  of  this  paper 
to  be  novel  and  highly  applicable.  We  would  very  much 
like  to  see  it  used  to  incorporate  other  primitives  into  formal 
models. 

A  Computational  Primitives 

Here,  we  define  the  computational  algorithms  used  in  the 
mapping  of  Section  6.  First,  some  helper  sets: 
Definition 19 We use the following definitions:

• Parameter $= \mathbb{N}$

• Coins : Parameter $\rightarrow \mathcal{P}(\{0,1\}^*)$

• String $= \{0,1\}^*$

We define Coins, the set of random strings, to be a function of the security parameter because the number of coin flips used by the cryptographic primitives grows with the security parameter. In general, we will assume that for all $\eta \in$ Parameter,

$$\text{Coins}(\eta) = \{0,1\}^{Q(\eta)}$$

for some polynomial $Q$.

Definition 20 A symmetric encryption scheme [7] is a triple of algorithms $(G_e, E, D)$:

• $G_e$ : Parameter × Coins $\rightarrow$ SymmetricKey is the (randomized) key generation algorithm,

• $E$ : Plaintext × Coins × SymmetricKey $\rightarrow$ Ciphertext is the (randomized) encryption algorithm, and

• $D$ : String × SymmetricKey $\rightarrow$ Plaintext $\cup \{\bot\}$ is the decryption algorithm, which we assume returns $\bot$ whenever the input string is not a valid encryption under the given key.

SymmetricKey, Plaintext and Ciphertext vary between encryption algorithms and implicitly depend on the parameter. It is required that for any message length $\ell$, Plaintext contains either all messages of length $\ell$ or none of them. Also, it is required that for all $r \in$ Coins$(\eta)$, all $k$ generated by $G_e(1^\eta, r)$, and all $m \in$ Plaintext$(\eta)$,

$$D(E(m, r, k), k) = m.$$

Definition 21 A digital signature scheme is a triple of algorithms $(G_s, S, V)$:

• $G_s$ : Parameter × Coins $\rightarrow$ SignatureKeys × VerificationKeys is the (randomized) key generation algorithm,

• $S$ : String × Coins × SignatureKeys $\rightarrow$ Signatures is the (randomized) signature algorithm, and

• $V$ : String × Signatures × VerificationKeys $\rightarrow \{0, 1\}$ is the verification algorithm.

It is required that for all $r \in$ Coins$(\eta)$, all $(k, k^{-1})$ generated by $G_s(1^\eta, r)$, and all $m \in$ String$(\eta)$,

$$V(m, S(m, r, k), k^{-1}) = 1.$$


Definition 22 A hash algorithm is a pair of algorithms $(G_h, H)$, where:

• $G_h$ : Parameter × Coins $\rightarrow$ HashFunctions generates hash functions (and is randomized), and

• $H$ : HashFunctions × String $\rightarrow$ String evaluates the hash function.

For every random string $r \in$ Coins$(\eta)$ and all strings $s \in \{0,1\}^*$, $H(G_h(1^\eta, r), s)$ will be a string of length $Q(\eta)$.

We will write $G_h(1^\eta)$ for the probability distribution induced by $G_h(1^\eta, r)$ where $r$ is chosen randomly (uniformly) from Coins$(\eta)$.